Security Strategy

Royal Mail tightens hacker defences

Case study: Weekly sweeps to spot any weaknesses for post service

Tags: qualys, case study, qinetiq, royal mail

By Dan Ilett

Published: 14 June 2005 11:25 GMT

The Royal Mail is tightening security practices by sweeping its networks for vulnerabilities on a weekly basis.

The postal service, which is starting to use more web-based business processes, has outsourced vulnerability and penetration testing to security company QinetiQ.

Martin Roe, Royal Mail's IT security manager, said: "What we were trying to achieve was periodic penetration tests five times a year. But they were quite irregular and I was worried about the gaps of time in between them."

Roe said he wanted more regular tests performed to ensure hackers stood no chance of breaking in: "I wanted to try and automate the process. I looked at vulnerability scans and we put it out to tender to see who could do this on a weekly basis instead of a few times a year."

He said vulnerability scanning on individual products was taking up valuable time for his staff, so the company opted for three services: QinetiQ's Managed Vulnerability Assessment and Alerting Service, a general security health check, and Qualys' Automated Scanning Service.

QinetiQ packaged the services to guard against the threats deemed to be most severe to Royal Mail.

Roe said he now receives weekly status reports with advice on any action his team needs to take, such as which software patches to apply. As a result, staff can focus on other areas of IT: "I'm now getting the sort of information I need. It follows my business logic. QinetiQ haven't an axe to grind and will provide me with straight facts. One of the nice things about it is I can set service level agreements with vendors."

QinetiQ's tests found Royal Mail's networks were more secure than Roe had thought: "It wasn't as bad as I was expecting it to be. We can spot things so much more quickly now. We now know the infrastructure is fairly sound so we can focus on applications."

Roe said he was happy with QinetiQ's work, and could even trust its staff as he would his own: "I have a rising endorsement for them. If I have a request beyond what they are obliged to do, they drop everything to do it. It's like having an employee at the end of the phone."
